Microsoft.Azure.OperationalInsights returns 'Forbidden' message for service principal

Richard Smem 6 Reputation points
2021-12-15T09:48:06.473+00:00

I am trying to read insights of a resource in Azure. I am getting the error as:

Operation returned an invalid status code 'Forbidden'

The service principal has been given the 'Log Analytics Reader' role on the subscription of the workspace.

```csharp
// Client-credential (app-only) sign-in via the Fluent management SDK; the three
// strings are placeholders for the app registration's values.
Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials credentials =
    Microsoft.Azure.Management.ResourceManager.Fluent.SdkContext.AzureCredentialsFactory.FromServicePrincipal(
        "clientId",
        "clientSecret",
        "tenantId",
        Microsoft.Azure.Management.ResourceManager.Fluent.AzureEnvironment.AzureGlobalCloud);

// Log Analytics data-plane client; WorkspaceId is the workspace's GUID (placeholder here).
var client = new Microsoft.Azure.OperationalInsights.OperationalInsightsDataClient(credentials);
client.WorkspaceId = @"workspaceId";

// Blocking call; this is the line that surfaces the 'Forbidden' status.
var results = client.QueryWithHttpMessagesAsync("union * | take 5").Result;
```

The solution to status code 'Unauthorised' is using delegated permissions, but I need an authentication token without user interaction.


1 answer

  1. Monalla-MSFT 11,636 Reputation points
    2021-12-16T02:21:13.577+00:00

    @Richard Smem - Thanks for reaching out.

    It looks like you do not have application permissions. A service principal with a clientId and clientSecret needs an application permission to work, not a delegated permission.

    Also you can take a look at these docs for more information on Application objects and Service principals: app-objects-and-service-principals

    You typically use delegated permissions when you want to call the Web API as the logged-on user. For example, when the Web API needs to filter the data it returns based on who the user is, or execute some action as the logged-in user, or even just to log which user initiated the call.

    Application permissions are used when the application calls the API as itself. For example, to get the weather forecast for a certain zip code (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).

    Hope that helps.

    -----------------------------------------------------

    If the above response helped, please feel free to "Accept as Answer" so it can be beneficial to the community.

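The following is an added example, written for this page and not taken from the question or the answer above. It shows the app-only (client credentials) flow the answer describes, which needs no user interaction: MSAL.NET acquires a token for the application itself and the token is handed to the same `OperationalInsightsDataClient` the question uses. The assumptions, which are not stated on the page, are that the Log Analytics query endpoint (api.loganalytics.io) expects a token issued for the scope `https://api.loganalytics.io/.default` rather than for the management endpoint, that the app registration holds an application permission for Log Analytics plus the 'Log Analytics Reader' role, and that the client's generated `ErrorResponseException` carries the HTTP response as other AutoRest clients do. `tenantId`, `clientId`, `clientSecret` and `workspaceId` are placeholders; the packages Microsoft.Identity.Client and Microsoft.Azure.OperationalInsights are assumed to be referenced.

```csharp
// Added example (not from the question or the answer above).
// Assumptions: Microsoft.Identity.Client and Microsoft.Azure.OperationalInsights packages are
// referenced; the app registration has an application (not delegated) permission for
// Log Analytics and the service principal holds 'Log Analytics Reader' on the workspace.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Rest;
using Microsoft.Azure.OperationalInsights;
using Microsoft.Azure.OperationalInsights.Models;

public static class LogAnalyticsAppOnlyQuery
{
    // Assumed audience for the Log Analytics Data API: the query endpoint is
    // api.loganalytics.io, so the token must be issued for that resource, not for ARM.
    private const string LogAnalyticsScope = "https://api.loganalytics.io/.default";

    public static async Task<string> AcquireAppOnlyTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        // Client credentials flow: the application authenticates as itself, so only
        // application permissions apply and no user sign-in is involved.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { LogAnalyticsScope })
            .ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task<int> CountRowsAsync(string tenantId, string clientId, string clientSecret,
                                                 string workspaceId, string kql)
    {
        string accessToken = await AcquireAppOnlyTokenAsync(tenantId, clientId, clientSecret);

        // TokenCredentials sends the bearer token unchanged, so the data client uses the
        // Log Analytics-scoped token instead of minting an ARM token of its own.
        var client = new OperationalInsightsDataClient(new TokenCredentials(accessToken))
        {
            WorkspaceId = workspaceId
        };

        try
        {
            var response = await client.QueryWithHttpMessagesAsync(kql);
            // The first table is the primary result set; count its rows.
            return response.Body.Tables.FirstOrDefault()?.Rows?.Count ?? 0;
        }
        catch (ErrorResponseException ex)
        {
            // 401: token rejected (wrong audience or tenant, or missing application permission).
            // 403: token accepted, but the principal lacks an RBAC role on the workspace.
            Console.Error.WriteLine($"Query failed with HTTP {(int)ex.Response.StatusCode}: {ex.Response.Content}");
            throw;
        }
    }

    public static async Task Main()
    {
        // Placeholders; replace with the app registration's values and the workspace GUID.
        int rows = await CountRowsAsync("tenantId", "clientId", "clientSecret", "workspaceId", "union * | take 5");
        Console.WriteLine($"Rows returned: {rows}");
    }
}
```

The two status codes in the catch block separate the two failure modes in this thread: a 401 points at the token itself (audience, tenant or the missing application permission the answer mentions), while a 403 means the token was accepted and the remaining gap is the RBAC assignment on the workspace.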